A new report on CISOs examines the impact of continued stress on the mental health and personal lives of CISOs, and drills down into the causes of stress, including poor work-life balance and a lack of support from the board.
The role of the Chief Information Security Officer (CISO) is one dotted with challenges. After all, protecting an organization’s data, battling the ever-evolving threat landscape, and managing resources and business alignment are quite some tasks. It goes without saying that, while a CISO’s job can prove exciting and rewarding, it can come with high levels of stress and feelings of burnout. And that’s exactly what has been highlighted in a recent report by Nominet that looks at the impact of continued stress on the mental health and personal lives of CISOs, and drills down into the causes of stress, including poor work-life balance and a lack of support from the board.
The results are based on 800 online surveys with C-Suite executives and CISOs in organizations, with questions focusing on the challenges of the CISO’s role and how work stress is impacting CISO health and damaging relationships.
Here are some interesting findings from the report:
1. CISO stress levels remain high: The vast majority of CISOs remain moderately or tremendously stressed. This report shows that this stress is now taking a greater toll on CISOs’ mental and physical health, and their personal relationships. This also has negative effects for organizations, as it has a measurable impact on the CISO’s ability to execute their role and results in burnout, with the average tenure of a CISO being just 26 months.
For example, 48% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year, whilst 31% reported that stress had impacted their physical health. What’s more, 40% of CISOs admitted that stress levels had affected their relationships with their families, with just under a third (32%) stating it had repercussions on their marriage, romantic relationships and personal friendships (up from 23%). In terms of coping mechanisms, the number of CISOs turning to medication or alcohol as a result of stress has increased to 23%.
“While we hoped that the job of the CISO had improved in the past year, it’s simply not the case. We are potentially heading towards a burnout crisis if the very people who we are relying on to keep businesses secure are operating under mounting pressure. CISO stress is on the rise – with almost 90% moderately or tremendously affected – and it’s taking a greater toll on their personal lives and well-being,” said Russell Haworth, CEO, Nominet.
“Not only is this harming the lives of CISOs but it will ultimately make it harder to retain staff, catch attacks early and improve security. It is worrying that at board level, understanding of these pressures appears not to have translated into action,” added Haworth.
2. Poor work-life balance is a key contributor to stress: Almost all CISOs are working beyond their contracted hours, on average by 10 hours per week. Even when they are not at work, they are unable to switch off, and this means their personal lives are disrupted. CISOs reported missing family birthdays, vacations, weddings and even funerals. They’re also not taking their annual leave, sick days or time for medical appointments – contributing to physical and mental health problems.
Almost three-quarters (71%) of CISOs said their work-life balance was heavily weighted towards work, with 95% working more than their weekly contracted hours (something that 87% of CISOs felt compelled to do by their organization). As many as 83% of CISOs admitted to spending half their evenings and weekends thinking about work, with just 2% always able to switch off from work outside of the office. Interestingly, almost all surveyed CISOs (90%) would opt for a pay cut if it improved their work-life balance.
Dr Dimitrios Tsivrikos, Lecturer in Consumer and Business Psychology, University College London, commented, “Given the unstable political, social and technological challenges that we are facing in the new decade, it is unsurprising to see that individuals working in this sector (CISOs) are incredibly stressed. This is very much in line with key psychological findings concerning people working in the security and technology sector and, most likely, we anticipate that these individuals will be reporting some of the highest levels of stress within the industry.
“Indeed, work-life balance is one of the key components that may contribute to work stress, and a closer look into lifestyle choices, and realizing that people in this industry can provide a great insight will help us to understand how we can support such individuals,” he said.
3. C-Suite understanding is improving but action is not forthcoming: The board’s understanding of cyber security is increasing. They grasp the risk it poses to their organization, they know it could cost them their job, and they even recognize that the CISO is under a lot of stress. However, they consistently underestimate the impact that stress and long hours are having on the CISO and – in fact – want the CISO to deliver more value to the business. This burden of responsibility and a perceived lack of support from the board is also a key contributor to CISO stress.
However, it’s not just CISOs themselves suffering more from stress. Nominet’s report also discovered that 31% of CISOs (a 2% increase on last year) feel the impact of stress has affected their ability to do their job. This could be having negative impacts on organizations as a whole, not to mention exacerbating the fact that the average tenure of a CISO is just over two years.
So what must be done to address this?
The main learning from this report is that the work life of the CISO has not materially improved over the past year. In fact, consistent levels of high stress are becoming a greater burden on the CISO’s wellbeing and personal life. Until this stress is relieved, the CISO’s ability to deliver value to the business will be diminished as their ability to do their job is hampered and they quickly become burnt out. The responsibility for and ability to reduce the stress load on CISOs lies largely with the board, says the study.
One of the key findings of the report was that, while boards were cognizant of the stress faced by their security teams, they were doing little to address the issue. If boards want their organization to be effectively protected, they need to reduce the stress being placed on the CISO – otherwise they risk it leading to burnout.
Urgent red flag issues that need to be addressed are CISOs being expected to work overtime, CISOs feeling like their job is on the line in the case of a security breach and, most importantly, a lack of support for mental health problems. The board can address all of these areas. Doing so will significantly reduce the internal pressures on the CISO and foster a healthier working environment, the report authors recommend.
The first step is to raise awareness of the challenges facing CISOs, so that boards understand the risk of cyber crime to their organization and appreciate that the CISO is placed under considerable stress to combat this risk. The next step is for the board to take action to help the CISO in their role, which will result in better outcomes for the business. Strong communication channels between the CISO and the board are crucial in achieving this.
With a strong and empowered CISO at the head of their security team, organizations will face less risk, be better protected, be more able to deal with a security breach when it hits, and ultimately become safer from cyber crime. As studies have shown that good organizations lead from the top, support for the board might seem like a good idea to keep them running the business profitably.